So .... why does fragmentation cause a problem? Packets are fragmented all the time in network traffic but stuff still works. Are you saying credentialling packets can't be fragmented?RH___________________________________-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Myrick, Todd (NIH/CC/DNA) [E]
Sent: Tuesday, March 14, 2006 2:55 PM
To: [email protected]
Subject: RE: [ActiveDir] Communication across a trust...with firewallsYou might also want to investigate if you are using TCP or UDP packets with your authentication request. By default Kerberos uses UDP, so a lot of firewalls will fragment the packets and cause authentication issues.
Todd Myrick
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Almeida Pinto, Jorge de
Sent: Tuesday, March 14, 2006 2:47 PM
To: [email protected]
Subject: RE: [ActiveDir] Communication across a trust...with firewalls
lets say the structure is:
CLIENT-DOMAIN_A ..... DC-DOMAIN_A ...... DC-DOMAIN_B ...... MEMBERSRV-DOMAIN_B
if NTLM is used the order of authentication is:
(1) CLIENT-DOMAIN_A wants to access MEMBERSRV-DOMAIN_B
(2) CLIENT-DOMAIN_A connects to MEMBERSRV-DOMAIN_B
(3) MEMBERSRV-DOMAIN_B connects to DC-DOMAIN_B and asks do you know: CLIENT-DOMAIN_A
(4) DC-DOMAIN_B says NO, but I do trust DOMAIN_A. Let me check.
(5) DC-DOMAIN_B connects to DC-DOMAIN_A and asks do you know: CLIENT-DOMAIN_A
(6) DC-DOMAIN_A says: yes, it's OK
(7) DC-DOMAIN_B sets up an access token for domain B for CLIENT-DOMAIN_A.
(8) CLIENT-DOMAIN_A accesses MEMBERSRV-DOMAIN_B
if KERBEROS is used the order of authentication is:
(1) CLIENT-DOMAIN_A wants to access MEMBERSRV-DOMAIN_B
(2) CLIENT-DOMAIN_A connects to DC-DOMAIN_A and asks for a ticket to access MEMBERSRV-DOMAIN_B
(3) DC-DOMAIN_A says: let me check, just a sec.
(4) DC-DOMAIN_A says: that server does not exist within the domain or the forest. However I do have a trust with DOMAIN_B. Go to DC-DOMAIN_B
(5) CLIENT-DOMAIN_A connects to DC-DOMAIN_B and asks for a ticket to access MEMBERSRV-DOMAIN_B
(6) DC-DOMAIN_B says: let me check, just a sec.
(7) DC-DOMAIN_B says: here's your ticket and access token. have fun
(8) CLIENT-DOMAIN_A accesses MEMBERSRV-DOMAIN_B
the problem is that only DC-DOMAIN_A and DC-DOMAIN_B can communicate through the firewall with each other. Other communication paths are not available or possible because of the firewall configuration.
Or did I miss something?
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
( Tel : +31-(0)40-29.57.777
( Mobile : +31-(0)6-26.26.62.80
* E-mail : [EMAIL PROTECTED]
From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Tue 2006-03-14 16:35
To: [email protected]
Subject: [ActiveDir] Communication across a trust...with firewallsWithin a domain, when a user's credentials are presented to a member server, that member server communicates with the domain controller to validate the creds.
We have a cross-forest (cross–company; a divestiture) trust set up that we are testing. A member server in the other forest/domain and across the firewall is having trouble authenticating credentials from our domain. Their DC works fine. Ports on the firewall are only opened for the two domain controllers (one on each side).
Here's the question: in order to validate the "foreign" credentials, should the member server be looking first to its own DC, or is it trying to cross the firewall to find our DC? Based in the preliminary traffic sampling so far, I think that's what is happening. Is that normal/expected behavior?
TIA,
AL
Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com
Not necessarily, but some packets are extremely sensitive to fragmenting. Security focused packets tend to fall into this category because of the nature of what they do and how they do it (checksums etc don't like to be fragmented). Kerberos especially tends to dislike being fragmented and although perfectly fine in a networked world, it doesn't work for Kerberos as well. Can give you some crazy results.
As for the original question, as Jorge points out, it really does depend on the protocol and the way you access things. I was just helping with some similar scenarios, oddly enough. Must be something with the weather? :)
Here's Microsoft's docs on the subject if you're interested to see the graphical version.
I haven't used the documenation to test the scenario, but it should give an idea. </disclaimer>
On 3/14/06, Rocky Habeeb <[EMAIL PROTECTED]> wrote:
- RE: [ActiveDir] Communication across a ... Simon Bembridge
- Re: [ActiveDir] Communication acro... Al Mulnick
- RE: [ActiveDir] Communication acro... Jeff Salisbury
- RE: [ActiveDir] Communication acro... Olivarez, Sergio J Mr CTNOSC/GD-NS
- RE: [ActiveDir] Communication acro... al_maurer
- RE: [ActiveDir] Communication acro... Arthur Freyman
- RE: [ActiveDir] Communication acro... Myrick, Todd \(NIH/CC/DNA\) [E]
